V-Series IRIS Panel - IP and MAC Addresses with consideration for NAC (Network Access Control) / PNAC (Port-Based Network Access Control)

Owned by Jonathan Sorensen, created
Last updated: Mar 11, 2022 by Juan A. Sanchez
4 min read

**The following applies to the LAN port(s) of the IRIS panel when using IVC or AES67. It does NOT apply to the Matrix connection.

 

V-Series IRIS panels offer two (2) assignable IP Addresses and two (2) fixed MAC addresses.

Note: When using an AES67 connection, both addresses are used. When using IVC connections, only one is used for intercom, but both are present on the device and network.

 

 

The IP Addresses are assignable from the Front Panel Menu, or from the CCM (Web Interface).

IP Addresses may be obtained from DHCP or set Statically.

The first IP Address will be used for AES67 Admin and for IVC connections.

The second IP Address will be used for AES67 Audio (media) only.

 

The MAC Addresses are fixed to the device. They can be found on the rear sticker of the panel.

Rear of IRIS Panel

 

The first MAC Address is assigned to the AES67 Admin/IVC IP Address

The second MAC Address is assigned to the AES67 Audio (media) IP Address

 

From the CCM (Web Interface), the MAC Addresses are associated as follows:

CCM (Web Interface) of IRIS Panel

In this example, 00:0E:98:06:19:7A will be associated with 10.50.1.221 for AES67 Admin/IVC

In this example, 00:0E:98:06:19:7B will be associated with 10.50.1.222 for AES67 Audio

 

From a networking view, each MAC will register with it’s associated IP Address.

This can be seen from a local PC by running an ARP request, like > arp -a

 

 

 

Since both of these addresses originate from a single Ethernet port on the IRIS Panel, the view from the network can appear as if 2 devices are on the same network port.

 

From a switch/router view, both MACs will register to the same physical port.

This can be seen by looking at the MAC Address Table (or binding) or ARP Table

For example, from Cisco CLI, the command is: #show mac address-table

*Note: both MAC Addresses are associated with the same physical port, gi1/0/4 in this example.

 

 

Network Security Considerations:

With regard to network security, there are numerous security mechanisms that may prevent 2 IP Address, and/or 2 MAC Addresses, from associating to a single physical port. This is often referred to as NAC (Network Access Control) or PNAC (Port-based Network Access Control), is addressed in the https://en.wikipedia.org/wiki/IEEE_802.1X standard, and can be deployed in several ways depending on network manufacturer.

If a network is blocking (or downing) a port or device due to this condition, one possible work-around is to allow both MAC Addresses (and/or IPs) to associate with the specific port. In most cases, the network is downing the port because it is assumed 2 MAC/IPs = 2 devices, hence the network blocking the second (unauthorized) device or closing the connection completely. A suggested approach to IT:

  1. Document all MAC Addresses from the IRIS Panels to be used.

    1. Provide specific MAC Addresses for Admin/IVC and AES67 Audio. (See Table Below)

  2. (Optional-Recommended) Set Static IPs for each IP on each device, and associate them with the proper MAC Address.

  3. Explain to IT (and show them the MAC Label) that both MAC Addresses and IPs belong to the same device.

    1. Again, the first IP/MAC is used for the Admin and IVC connection, the second for AES67 Audio.

  4. Ask IT to allow both MACs on the ports allocated for the IRIS Panels.

    1. They may write static MAC associations for each to retain proper security.

      1. Cisco Example: #mac-address-table static [mac address] vlan [vlan-id] interface [interface]

    2. (Optional - following Step 2 above)

      1. Ask IT to ensure two IP addresses are allowed on ports allocated for IRIS Panels.

 

Expectations on Panel Start-Up:

On start-up of the panel, from a device/network perspective, you can expect the following:

(with Static IPs set - times are approximate and can vary with network and versions)

~5 seconds (depending on network topology): MAC of Admin/IVC presented and registers to switch

~10 seconds: Admin/IVC port forwarding status shown

~20-30 seconds: Admin/IVC begins to respond to pings

~1:30 or as soon as AES67 is ready on the panel: the second MAC will present it itself and register with the switch and respond to pings

 

 

CAN'T FIND YOUR ANSWER? CLICK HERE TO CONTACT SUPPORT

This solution was provided to you by Clear-Com via a question submitted to us by customers like you. If your question wasn’t answered, you need help or you have a recommended solution for our database, please send us an email at support@clearcom.com

The information on this page is owned by Clear-Com and constitutes Clear-Com’s confidential and proprietary information, may be used solely for purposes related to the furtherance of Clear-Com’ business and shall not be disclosed, distributed, copied or disseminated without Clear-Com’s prior written consent. Click Here for Clear-Com's privacy statement.